I.  INTRODUCTION 


A.  PURPOSE 


Since the inception of classified information, individuals and organizations have
needed to be able to access information at multiple classification levels (domains). This
has been accomplished over the years by using separate information systems for each
domain, with each system having its own set of peripheral devices. By separating the
domains physically, one was assured that data of a higher classification would not be
spilled to a domain of a lower classification. If a user requires access to several different
security domains, a large workspace is needed to accommodate the keyboard, video
display, and mouse associated with each information system.

In an effort to minimize the amount of equipment needed to access multiple
domains from a single workspace, initiatives like the One Box - One Wire (OBI)
program are currently under development [1]. The OBI program allows multiple domains
to be built into one box. This works toward the solution of minimized equipment, but it
does not solve the problem of peripheral devices such as mice, keyboards, and monitors
that are used as input/output devices. The current system setup still involves a mouse,
keyboard, and monitor for each domain installed in an OBI system. Figure 1 depicts an
exaggerated view of what a desktop with multiple systems connected to different
domains would look like.


Figure 1.  Desktop Before Implementing a KVM switch¹

¹ Image available at http://www.blackbox.co.uk/images/technical/techoverviews/kvm-switch_before.jpg.

Figure 2.  Basic KVM Illustration²

The  use  of  a  Keyboard,  Video,  and  Mouse  (KVM)  Switch  provides  a  solution  to 
overcrowded  desk  space.  A  KVM,  or  Peripheral  Sharing  Switch  (PSS)  [2],  allows  a 
single  set  of  human  interface  devices  to  be  shared  among  two  or  more  computers.  A  set 
of  human  interface  devices  could  consist  of  a  Universal  Serial  Bus  (USB)  keyboard,  a 
USB  mouse,  and  a  Digital  Video  Interface  (DVI)  or  Video  Graphics  Array  (VGA) 
monitor.  However,  a  KVM  can  also  provide  ports  to  attach  input  and  output  audio 
devices,  other  USB  devices  such  as  but  not  limited  to  printers,  common  access  card 
(CAC)  readers,  and  flash  memory,  and  serial  keyboards  and  mice. 

Traditional  KVMs  are  available  commercially  and  are  commonly  used  today  in 
configurations  that  share  peripheral  input  devices  across  multiple  systems  of  the  same 
classification  level.  However,  there  are  very  few  solutions  that  are  able  to  or  attempt  to 
attain  a  certification  level  that  is  acceptable  in  a  system  with  multiple  computers  with 
differing  classification  levels  due  to  the  high  cost  and  robust  design  processes  that  must 
be  followed  to  obtain  an  acceptable  certification  level. 

B.  OBJECTIVES 

The  objective  of  this  paper  is  to  lay  the  groundwork  for  building  a  secure  KVM 
capable  of  working  in  a  multi-level  secure  environment.  This  will  be  accomplished  by 
the  following: 

•  Compare  several  products  that  are  commercially  available  and  identify 
possible  weaknesses  in  these  products. 


² Image available at http://en.wikipedia.org/wiki/KVM_switch

•  Derive requirements of a secure KVM to ensure no loss of confidentiality or
integrity.

•  Create a design proposal to include potential improvements of current
technology.

C.  SCOPE 

A basic KVM allows a single monitor, mouse, and keyboard to be used to switch
between multiple computers at the push of a button. However, the research contained
within this paper will concentrate only on switching the keyboard and mouse connection
between the attached computers.

Video switching capability is outside the scope of the work described here. The
video portion needed to complete the KVM will be assumed to be a black box that will
securely switch between multiple security domains without loss of confidentiality or
integrity. The capability to share audio input/output devices will also be outside the
scope of this research paper.

D.  METHODOLOGY 

The Twin Peaks Model “intertwines requirements and architectures to achieve
incremental development and speedy delivery” [3]. This method of development
provides improvements over the Waterfall Model [4] and the Spiral Life-Cycle Model [5]
by allowing the system to evolve without anchoring the design to rigid requirement
documents that may not consider the architecture of the system, and by decreasing the
amount of time to move from the requirements phase to the production phase. Using the
Twin Peaks approach, the requirements were refined based on architectural decisions.
Some of the architectural decisions were based on security concerns, but others evolved
based on the user’s experience with other KVMs.

To understand the core requirements of the switch, background information is
required, such as what defines a KVM switch, a detailed review of the USB specification,
and comparisons to commercially available KVMs. The core requirements lead to
derived requirements and design choices as the internal and external interfaces and
different components of the switch are defined. As each component is defined, a state
diagram is included to show the reader the functions that the component is to perform.
The state diagrams evolve as the functionality of each component evolves through the
derived requirements and design choices. Data flow diagrams are included in
Appendix B to show what information is passed between the different components.

II.  BACKGROUND  AND  HISTORY 


A.  WHAT  IS  A  KVM  SWITCH? 

A KVM switch is a device that allows a single keyboard, monitor, and mouse to
be shared among multiple computers. The user traditionally selects which computer will
receive input and/or output from the peripheral devices on the switch via a push button or
rotary knob; however, some switches do allow switching via keyboard shortcuts. A
keyboard shortcut is a specific sequence of keystrokes that triggers the switch’s internal
mechanisms to perform a designated function. In this case, the function is switching from
one computer to the next computer.

B.  KVM  SWITCH  TYPES 

1.  Passive  Switch 

The first KVM switches were passive mechanical devices. By turning a knob on
the front of the device, the user completes the electrical circuit needed for the peripheral
devices to interact with the attached computer. The completion of the circuit looks to the
computer as if the peripheral devices are being plugged in to the computer directly.
Likewise, when the computer is deselected, the computer thinks the peripheral devices
were unplugged directly from the computer. The major problem with the passive type of
KVM is that many computers will not boot properly if a keyboard is not detected during
the boot sequence, and thus, unless the computer is selected via the KVM prior to
initiating the computer’s boot sequence, the computer will enter into an error state and
halt the boot sequence.

Another issue inherent with passive switches is that they rely on contact points to
complete the electrical path. The contact points wear down over time and eventually lose
the ability to properly connect. Passive KVM switches can still be purchased from
electronics stores as they provide basic functionality to meet many users’ needs and are
relatively inexpensive.

The basic security principles of a passive switch consist of security by separation.
The physical connections for each computer are designed in such a way as to ensure only
a single computer can connect to the attached peripheral devices. However, as previously
stated, only that computer will be able to detect a mouse and keyboard during the boot
cycle.


2.  Active  Switch 

An active switch differs from a passive switch in that it uses electricity to power
the electronic circuits within the switch. The electronic circuits allow active switches to
combat the main problems that plague passive switches. An active switch can emulate
the peripheral devices to allow a computer that is not currently selected to boot properly
by registering as both a generic mouse and keyboard or, in some cases, as the actual
make/model of the attached mouse and keyboard. Also, by using electronic circuits, the
contact points that wear down over time, causing the passive switch to fail, are no
longer an issue.

Most  modern-day  KVM  switches  are  active  and  support  USB  interfaces  because 
the  user  wants  a  friendlier  switch  that  will  not  completely  disconnect  the  mouse  and 
keyboard  from  the  non-selected  computers.  As  mentioned  above,  the  user  also  does  not 
have  to  worry  about  which  computer  is  currently  selected  when  booting  the  systems. 
Below  we  describe  several  existing  USB  KVMs. 

a.  Avocent  SC4-UAD  KVM  Switch 

The Avocent SC4-UAD KVM Switch was evaluated in 2007 to be
National Information Assurance Partnership (NIAP) certified at Evaluation Assurance
Level 4 (EAL4)³, meaning that the switch was methodically designed, tested, and
reviewed [6]. The reviewer noted that the manufacturing process could lead to
compromised switches because of the Flash ROM used in the switch, and because “the
isolation tests performed by NSA 172 show that the SC4-UAD does not meet certain
specifications for signal separation” [7]. The switch contains some of the properties, as
well as lessons learned, that this paper will address in describing requirements for a
secure keyboard and mouse switch.

³ The National Information Assurance Partnership’s Common Criteria for Information Technology Security
Evaluation [6] states that “EAL4 permits a developer to gain maximum assurance from positive security
engineering based on good commercial development practices which, though rigorous, do not require
substantial specialist knowledge, skills, and other resources.”

b.  BAE  Systems  Interactive  Link 

The BAE Systems Interactive Link device combines a KVM switch with a
one-way diode to allow control of both a low-side computer over a low-side network and
a secure window server. The Interactive Link device was evaluated at EAL5⁴, meaning
that the device was semi-formally designed and tested. However, the device deviates
from the traditional design of a KVM by requiring the use of software on the “high-side”
computer that will allow keyboard, mouse and video traffic to be visually displayed from
a “low-side” computer on the high-side computer. Essentially, this device creates a
secure “remote desktop” experience for a user on a classified network to access a server or
servers on a network of a lower classification [8].

c.  Belkin  OmniView  Secure  KVM 

Similar  to  the  Avocent  SC4-UAD  KVM  Switch,  the  Belkin  OmniView 
Secure  KVM  was  evaluated  in  2009  to  be  NIAP-certified  at  EAL4,  and  the  switch 
contains  many  of  the  properties,  as  well  as  lessons  learned,  that  this  paper  will  address  as 
requirements  for  our  KVM  switch  [9],  [10]. 

C.  USB  SPECIFICATION 

As  the  USB  specification  is  the  standard  for  peripheral  devices,  specifically  for 
keyboards  and  mice,  the  switch  defined  within  this  paper  will  utilize  USB  ports  to 
connect  both  the  peripheral  devices  and  the  computers  to  the  switch.  Thus,  an 
understanding  of  the  USB  specification  is  necessary  to  ensure  proper  controls  are  put  in 
place  to  assure  high  robustness  in  the  design. 

The USB specification was initially designed by seven companies looking to
make it easier for external devices to connect to computers. Before the introduction of
USB, external devices were designed with proprietary ports and proprietary protocols.
Only the computers designed for the use of those devices could use these devices. The
industry saw the need to create a standard that would allow an external device to connect
to any computer without the need for expensive add-on cards or complicated software.

⁴ The National Information Assurance Partnership’s Common Criteria for Information Technology
Security Evaluation [6] states that “EAL5 permits a developer to gain maximum assurance from security
engineering based upon rigorous commercial development practices supported by moderate application of
specialist security engineering techniques.”

The  USB  bus  is  host  centric,  meaning  that  the  host  is  the  “initiator”  of  all  protocol 
activities.  The  host  sends  requests  to  the  USB  hub.  The  hub  acknowledges  that  it 
received  a  request  but  does  not  respond  with  the  answer  to  the  request  from  the  end  point 
until  the  host  again  asks  the  hub  for  information.  When  an  endpoint  sends  data,  the  last 
data  packet  contains  all  zeroes  to  tell  the  host  that  it  is  the  last  packet  in  that  segment. 

A  hub  can  provide  the  ability  to  increase  the  number  of  USB  ports  available  to  a 
host,  and  multiple  hubs  can  be  linked  together  to  form  a  chain  between  the  host  and 
endpoint.  Each  hub  typically  has  a  single  upstream  port  and  multiple  downstream  ports. 
A  hub’s  upstream  port  connects  to  either  a  downstream  port  of  the  host’s  USB  host 
controller  or  a  downstream  port  of  another  hub’s  USB  function  controller.  As  detailed  by 
the  USB  specification,  only  126  peripheral  devices,  including  hubs,  can  be  attached  to  a 
single  USB  host  controller  [11]. 

1.  USB  Transaction  Types 

USB  transactions  are  similar  to  network  packets  flowing  between  devices.  Each 
transaction  contains  packets  used  to  either  set  up  the  connection  between  devices  and  host 
or  deliver  data  to  the  device  or  the  host.  The  USB  specification  [11]  defines  three 
transaction  types: 

•  IN 

•  OUT 

•  Setup 

The Message Sequence Chart (MSC) diagrams included in this section are taken
from the “Universal Serial Bus Specification Revision 2.0” [11] where more detailed
information can be obtained. An MSC is used “to describe the interaction between a
number of independent message-passing instances [12].”

a.  IN  Transaction  Type 

The IN transaction type allows data that originates from the endpoint to be
delivered to the host. The host must first send a request to the endpoint requesting data
from the endpoint starting with a start split (SSPLIT) packet and an IN packet. The hub
then sends an acknowledgement (ACK) to the host upon receiving the request but prior to
forwarding the request on to the endpoint. The endpoint responds to the host’s request
with data packets or a Negative Acknowledgement (NAK) packet if there is no data
available to send to the host.


Figure 3.  USB IN MSC.  From [11]

As with any sequence-based protocol, data transfer errors can and do
occur. If the error occurs between the host and the hub, the host will automatically
resend the request up to a maximum of three attempts if it doesn’t receive a response after
a set amount of time. The hub will pass along the request to the endpoint once received.
If, however, an error occurs after the endpoint has acknowledged the host’s request and
the host is now asking to complete the split (CSPLIT) packet, the hub will respond with a
no response yet (NYET) packet telling the host that the request was accepted but it has
not yet received any information from the endpoint. The host will then know to resend
the CSPLIT command at a later time.


b.  OUT  Transaction  Type 


The  OUT  transaction  type  permits  data  to  be  transmitted  from  the  host  to  a 
device.  The  host  sends  the  data  to  the  device,  and  the  device  responds  with  an  ACK 
packet  if  successful  or  a  NAK  packet  if  an  error  occurred  during  the  transaction. 


[Figure: message sequence chart with Host, Hub, and Device lifelines]

Figure 4.  USB OUT MSC.  From [11]

c.  Setup  Transaction  Type 

The Setup transaction type is similar to the OUT transaction type, except
that a device must accept and respond to a Setup transaction packet.

[Figure: message sequence chart with Host, Hub, and Device lifelines; messages SETUP, Data 0, Ack]

Figure 5.  USB Setup MSC.  From [11]
III.  EXTERNAL  INTERFACES 


A typical KVM switch defines the external interfaces to be ports for connecting
input devices such as keyboards and mice, port or ports for connecting each computer,
switching devices such as buttons, indicators to show which computers are connected,
indicators to show which computer is currently selected, and a port to connect to a power
supply. Figure 6 and Figure 7 depict a generic 2-port KVM. The keyboard and mouse
ports on the front of the switch are part of the Input Peripheral Port Group (IPPG). On
the back of the switch, the port used to connect to the computer is designated as the
Computer Peripheral Port (CPP). A 2-port KVM has two distinct CPPs with a selection
device used to switch between the two CPPs.


[Figure: front panel with Keyboard Port and Mouse Port, grouped as the IPPG]

Figure 6.  2-port KVM; Front

[Figure: back panel with CPP 1 and POWER IN]

Figure 7.  2-port KVM; Back
IV.  USE  CASE  SCENARIOS 


The following use case scenarios will help to define the requirements of the
system. Some of the cases will describe the flow of a user interacting with the system
with an MSC depicting the flow of information, but other cases will simply provide a
description of the functionality provided by the switch.

A  use  case  scenario  describes  the  interaction  between  a  user  and  a  system.  Each 
scenario  describes  inputs  into  the  system,  either  external  or  internal,  and  their  expected 
outcomes.  An  external  input  can  be  described  as  any  action  performed  that  originates 
from  the  outside  of  the  physical  system.  Likewise,  an  internal  input  describes  any  action 
performed  by  the  system  that  originates  from  within  the  physical  system.  An  internal 
input  is  usually  the  result  of  or  an  output  from  an  external  input. 

A.  INITIAL  SETUP 

In  this  section,  we  describe  how  the  user  interacts  with  our  proposed  KVM  during 
the  initial  setup  phase  by  using  the  written  guidance  provided  with  a  specific  switch.  The 
installer  connects  the  user’s  keyboard  and  mouse  cables  to  the  IPPG  on  the  switch.  The 
installer  connects  each  of  the  user’s  computers  (1  to  n)  to  the  corresponding  CPP,  labeled 
1  to  n,  on  the  switch.  The  installer  will  use  two  cables,  one  for  the  mouse  and  one  for  the 
keyboard.  The  installer  labels  the  buttons  (1  to  n)  on  the  front  panel  of  the  switch  with 
the  identity  of  the  corresponding  computer  (e.g.,  Computer  1/Computer  2).  Note:  This 
cabling  may  be  connected  in  any  order,  but  it  will  be  assumed  that  the  user  will  correctly 
connect  the  cables.  Lastly,  the  installer  connects  the  switch’s  power  cable  to  the  power 
outlet. 

B.  POWER-ON  CYCLE 

The  system  can  be  described  as  having  two  distinct  power-on  cycles.  Either  the 
switch  is  powered  on  prior  to  one  or  more  of  the  computers  connected  to  it,  or  one  or 
more  of  the  computers  are  powered  on  before  the  switch.  Below  we  describe  each  of 
these. 
1.  Power-On  Switch  before  Computers 

Following the Initial Setup phase, the user turns the switch on by plugging in the
switch’s power cable. We assume that there is no separate “on-off” switch. During the
switch’s boot cycle, the switch will initialize and set up the pathway between the IPPG
and the attached keyboard and mouse. At some point in time following the initialization
of the switch’s power-on cycle, the user will power on any number of the computers (1 to
n). During each computer’s boot cycle, the computer will communicate with the switch
to initialize and set up the pathway between the computer and the CPP over the attached
cables. The computer(s) will see the switch ports as a generic hub with a generic mouse
and keyboard attached to it. The switch will provide a visual indication to the user once
the switch detects the computer(s) are connected and powered on. The sequence of
operations is described in the message sequence chart shown in Figure 8.


Figure  8.  Message  Sequence  Chart:  Switch  Powered  On  before  Computer(s) 
2.  Power-On  Computers  before  Switch 

In this scenario, the user does an “Initial Setup” before plugging in the KVM.
Following the “Initial Setup” phase, the user then powers on any number of the
computers (1 to n). Since the KVM is unpowered, no physical keyboard or mouse is
visible to the computer. So that the computer(s) can boot properly, the switch’s CPP
emulates a physical keyboard and mouse. The computer “thinks” it is creating a pathway
between itself and a physical keyboard and mouse through the switch’s CPP. At some
point the user then powers on the switch by plugging in the switch’s power cable. During
the switch’s boot cycle, the switch tears down the temporary pathway between the
computer(s) and the emulated keyboard and mouse. The switch then allows a new
pathway between the computer(s) and CPP(s) to be set up. Also during the switch’s boot
cycle, the switch will initialize and set up the pathway with the attached keyboard and
mouse. Upon completion of the computer’s boot cycle, the switch will visually show
which computers are attached and powered on. By default, no computer will be selected
as the default pathway and thus the switch will wait for the user to select a computer for
use before setting up the pathway between the attached keyboard and mouse and any of
the computers. This process is shown in the message sequence chart, Figure 9.


Figure 9.  Message Sequence Chart: Computer(s) Powered On before Switch
C.  STANDARD  OPERATION 


During “Standard Operation” we assume that one or more computers, a keyboard,
and (optionally) a mouse are connected properly to the KVM and that the switch and
computers have been powered on using one of the two methods described above. The user
presses one of the buttons (1 to n) on the switch that correlates to an attached computer.
The goal is to establish a connection between the attached computer and the keyboard
and mouse. The switch will visually show which button is currently selected while the
data pathway is set up. The switch will initialize and set up the data pathways between the
attached keyboard and mouse and the selected computer. As soon as the pathway is
correctly set up, the switch will visually show to the user that the user is now able to send
input to the attached computer via the keyboard and mouse. At some point, the user will
press a different button on the switch. The switch will visually show which button is
currently selected. The switch will tear down the pathway between the Keyboard/Mouse and
the previously selected computer, ensuring no residual data can flow to the newly
selected computer. The switch then proceeds to set up the pathway between the
Keyboard/Mouse and the newly selected computer. The switch will visually show to the
user that the user is now able to send input to the attached computer via the keyboard and
mouse. The sequence of operations is described in the message sequence chart shown in
Figure 10.

Figure  10.  Message  Sequence  Chart:  Standard  Operation 


D.  THE  CURRENTLY  SELECTED  COMPUTER  IS  SELECTED  AGAIN  BY 
THE  USER 

At  some  point  during  the  standard  operation  scenario,  the  user  may  reselect  the 
currently  selected  computer.  The  switch  shall  disregard  the  user’s  request  as  no  action  is 
required. 


E.  KEYBOARD  AND/OR  MOUSE  IS  PLUGGED-IN  OR  UNPLUGGED 
AFTER  THE  SWITCH  IS  POWERED  ON 

If the attached keyboard and/or mouse disconnects from the switch, the switch
will tear down the connection between the keyboard and mouse. If a computer is selected
while the keyboard and/or mouse are disconnected, then the switch will set up the generic
keyboard and mouse emulation. The user is then free to reconnect the same or different
keyboard/mouse to the switch. Once connected, the switch will initialize and set up the
connection with the keyboard and/or mouse. If a computer is currently selected, the
switch will set up the pathway between the Keyboard/Mouse and the currently selected
computer.

F.  CURRENTLY  SELECTED  COMPUTER  IS  DISCONNECTED  FROM 
THE  KVM 

If  an  attached  computer,  which  is  the  currently  selected  computer,  is  powered  off 
or  otherwise  disconnects  from  the  switch,  the  switch  will  tear  down  the  pathway  between  the 
Keyboard/Mouse  and  the  currently  selected  computer.  The  switch  will  no  longer  visually 
show  the  currently  selected  computer  as  a  viable  option  and  will  reset  the  ports  in 
anticipation  of  a  different  computer  connecting  to  them.  The  user  will  need  to  select 
another  computer  for  use. 

G.  ADDITIONAL  COMPUTER(S)  ARE  CONNECTED  TO  THE  SWITCH 
AFTER  A  PREVIOUSLY  ATTACHED  COMPUTER  IS  SELECTED 

A  computer  is  powered  on  and  attached  to  the  switch  after  the  switch  is  powered 
on  and  after  a  separate  computer  is  powered  on,  attached  to  the  switch,  and  selected  via 
the  switch’s  front  panel  button.  The  newly  attached  computer  will  detect  the  switch  as  a 
powered  hub  with  a  generic  keyboard  and  mouse  attached  to  the  hub.  Once  the  switch 
detects  the  computer  is  connected  and  powered  on,  the  switch  will  visually  show  that  the 
computer  is  attached  and  powered  on. 

H.  COMPUTER  NOT  CURRENTLY  SELECTED  IS  DISCONNECTED 
FROM  THE  SWITCH 

If  an  attached  computer  that  is  not  currently  selected  is  powered  off  or  the 
computer’s  cables  are  disconnected,  the  switch  will  tear  down  the  connection  between  the 
computer’s  cables  and  the  switch  ports  and  reset  those  ports  in  anticipation  of  a  possibly 
different  computer  connecting  to  them.  The  switch  will  also  no  longer  visually  represent 
the  disconnected  computer  as  a  viable  choice. 
I.  THE  SWITCH  LOSES  POWER 

If  the  switch  loses  power  without  the  user  unplugging  the  power  cable,  the  switch 
will  not  gracefully  shut  down.  All  pathways  between  the  attached  computers  and  the 
switch  as  well  as  the  switch  and  the  attached  keyboard  and  mouse  will  be  terminated. 
Any  computer  attached  to  the  switch  that  is  currently  powered  on  will  be  responsible  for 
providing  power  to  its  respective  CPP.  The  switch’s  CPP  will  use  the  supplied  power 
over  the  attached  cables  to  emulate  an  attached  Keyboard/Mouse.  The  switch  will  not 
visually  represent  which  computers  are  attached  and  powered  on. 

J.  FAIL  SECURE 

In  the  unlikely  event  that  some  part  of  the  switch  malfunctions  or  otherwise 
becomes  inoperable,  the  switch  shall  fail  secure.  The  secure  failure  state  shall  be  defined 
as  “no  data  shall  be  allowed  to  flow  through  the  switch.”  To  mitigate  the  potential  of  a 
component  failing,  the  switch  shall  be  designed  and  built  using  reliable  hardware. 
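
The selection behaviour in the use cases above (no default selection after power-on, tear-down before set-up in Standard Operation, the disregarded reselect in D, the disconnect in F, and the secure failure state in J) can be modelled in a few functions. This is an added illustration, not the thesis's design or code; the `kvm` structure, every function name, and the 8-byte report buffer are assumptions.

```c
/* Added illustration: a software model of the switch's selection logic.
 * All names (kvm, kvm_press, ...) are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define KVM_PORTS   2     /* 2-port switch, as in Figures 6 and 7 */
#define KVM_NONE    (-1)  /* no computer selected */
#define REPORT_LEN  8     /* assumed size of a buffered keyboard report */

typedef struct {
    bool attached[KVM_PORTS];              /* CPP n has a powered-on computer */
    int selected;                          /* selected CPP index, or KVM_NONE */
    bool path_up;                          /* keyboard/mouse <-> selected CPP */
    bool failed;                           /* latched fail-secure state */
    unsigned teardowns;                    /* pathways torn down so far */
    unsigned char last_report[REPORT_LEN]; /* input data held in the switch */
} kvm;

static bool valid_port(int port) { return port >= 0 && port < KVM_PORTS; }

/* Tear down the pathway and scrub buffered input so that nothing residual
 * can reach whichever computer is selected next. */
static void teardown(kvm *k) {
    if (k->path_up) k->teardowns++;
    memset(k->last_report, 0, sizeof k->last_report);
    k->path_up = false;
    k->selected = KVM_NONE;
}

/* Power-on: by default no computer is selected. */
void kvm_init(kvm *k) {
    memset(k, 0, sizeof *k);
    k->selected = KVM_NONE;
}

void kvm_attach(kvm *k, int port) {
    if (valid_port(port) && !k->failed) k->attached[port] = true;
}

/* Use cases F and H: a computer powers off or is unplugged. */
void kvm_detach(kvm *k, int port) {
    if (!valid_port(port)) return;
    k->attached[port] = false;
    if (k->selected == port) teardown(k);
}

/* Front-panel button. Returns true if `port` is selected afterwards. */
bool kvm_press(kvm *k, int port) {
    if (k->failed || !valid_port(port) || !k->attached[port]) return false;
    if (k->selected == port) return true;   /* use case D: disregard */
    teardown(k);                            /* old pathway comes down first */
    k->selected = port;
    k->path_up = true;
    return true;
}

/* Use case J: a detected malfunction latches the secure failure state. */
void kvm_fault(kvm *k) {
    teardown(k);
    k->failed = true;
}

/* Deliver one input report; returns the CPP it went to, or KVM_NONE. */
int kvm_forward(kvm *k, const unsigned char report[REPORT_LEN]) {
    if (k->failed || !k->path_up) return KVM_NONE;
    memcpy(k->last_report, report, REPORT_LEN);
    return k->selected;
}

bool kvm_buffer_clear(const kvm *k) {
    for (size_t i = 0; i < REPORT_LEN; i++)
        if (k->last_report[i] != 0) return false;
    return true;
}

int main(void) {
    /* Constructed sample report: the 'a' key in boot-keyboard layout. */
    const unsigned char key_a[REPORT_LEN] = {0, 0, 0x04, 0, 0, 0, 0, 0};
    kvm k;
    kvm_init(&k);
    kvm_attach(&k, 0);
    kvm_attach(&k, 1);
    printf("before selection: delivered to %d\n", kvm_forward(&k, key_a));
    kvm_press(&k, 0);
    printf("after button 1:   delivered to %d\n", kvm_forward(&k, key_a));
    kvm_press(&k, 1);
    printf("after button 2:   buffer clear = %d\n", kvm_buffer_clear(&k));
    kvm_fault(&k);
    printf("after fault:      delivered to %d\n", kvm_forward(&k, key_a));
    return 0;
}
```
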
V.  MISUSE  CASE  SCENARIOS 


Use case scenarios are helpful to describe how the user is intended to utilize the
switch in day-to-day operations; however, certain situations should be considered to
ensure the integrity of the switch is maintained. These misuse case scenarios describe
when the user, either intentionally or unintentionally, attempts to use the switch in a
manner that is prohibited by the security posture of the switch. The switch should be able to
detect these events and prevent them from occurring.

A.  UNAUTHORIZED  DEVICE  IS  PLUGGED  INTO  THE  KEYBOARD 
AND/OR  MOUSE  PORT 

A  user  may  try  to  plug  a  non-approved  device  into  the  keyboard  and/or  mouse 
port  during  standard  operation.  The  switch  will  detect  the  unapproved  device  and  disable 
the  port.  The  switch  will  re-enable  the  disabled  port  upon  detection  of  a  new,  approved 
device  connecting  to  the  port. 

B. THE CURRENTLY SELECTED COMPUTER SENDS DATA PACKETS
INTENDED FOR A NON-HUMAN INTERFACE DEVICE (HID)

The currently selected computer, either through error or malicious activity, may
try to send data packets that an HID should not receive, such as data intended for a
storage device. The switch shall drop these packets before they are allowed to reach the
attached keyboard and/or mouse.

VI. REQUIREMENTS AND ARCHITECTURAL REFINEMENTS

Requirements  are  essential  to  creating  an  accurate  and  complete  design.  A  design 
without  requirements  has  no  purpose  and  can  never  be  considered  complete. 
Requirements  provide  test  accuracy  by  which  a  system  or  design  can  be  verified  for 
correctness.  There  are  many  types  of  requirements  that  can  be  assigned  to  a  system  from 
basic  functionality  to  specific  architecture  requirements. 

The  basic  or  functional  requirements  define  the  core  functionality  of  the  system. 
Engineers  and  architects  take  the  core  requirements  and  start  to  implement  them  within  a 
physical  design.  During  the  design  process,  additional  requirements  or  derived 
requirements  may  surface  based  on  architectural  decisions  or  constraints.  ^ 

In this section, each requirement is defined and then discussed. State diagrams
are included and are expounded upon as requirements mature or additional requirements
are added to the components of the switch. From the core requirements, derived
requirements and design choices will be introduced with diagrams of the switch
components, the components’ state diagrams, and tables describing the variables used in
the state diagrams to help guide the reader.

A. CORE REQUIREMENTS

The  main  purpose  of  the  switch  is  to  provide  the  ability  for  a  number  of 
computers  to  be  connected  to  a  single  keyboard  and  single  mouse.  However,  only  one  of 
the  attached  computers  should  be  allowed  to  communicate  with  the  keyboard  and  mouse 
at  any  given  point  in  time. 

C-1. The switch shall enable communication between a keyboard and a
mouse and at most one computer connected to the switch at a given
point in time.


^ Core requirements, derived requirements, and design choices are denoted by “C-xx”, “D-xx”, and
“DC-xx,” respectively.

Now that the base functionality of the switch has been defined, the security
posture should be established. This will ensure that data flows are well defined and all
external interfaces are secured.

C-2. Prevent communication via the switch between attached computers.

The  switch  is  not  intended  to  be  a  data  transfer  device  and  should  not  allow  any 
data  to  pass  between  computers  either  directly  or  indirectly.  If  a  user  should  wish  to 
move  data  between  the  attached  computers,  the  user  should  find  another  means  to  do  so, 
such  as  over  a  network,  through  a  Cross  Domain  Solution,  or  via  external  media  (i.e., 
CD/DVD  or  external  hard  disk  drive). 

Devices,  such  as  CAC  Readers,  may  be  required  to  access  a  particular  system  or 
service  that  is  provided  by  one  or  more  of  the  attached  computers.  Other  devices,  such 
as  hubs  and  splitters,  allow  the  number  of  defined  ports  on  the  switch  to  be  increased  so 
that  more  peripheral  devices  can  be  attached  to  the  switch.  However,  devices  such  as 
these  will  not  be  allowed  to  communicate  through  the  switch. 

C-3. The switch shall not allow communications with peripheral devices
connected to the IPPG other than a keyboard on the keyboard port
and a mouse on the mouse port.

Along  with  the  core  functionality  and  security  requirements,  the  switch  will  need 
to  provide  a  way  for  a  user  to  select  which  computer  is  permitted  to  communicate  with 
the  keyboard  and  mouse.  This  should  give  the  user  confidence  that  the  keyboard  and 
mouse  will  be  interacting  with  the  correct  computer. 

C-4.  The  switch  shall  allow  the  user  to  select  the  computer  to  be  paired 
with  the  attached  keyboard  and  mouse. 

Once the user has selected a computer with which to interact, the user may, at
some point, need to be reminded which computer is actively paired with the mouse and
keyboard. This indicator will also be useful for a new user accessing the switch and
computers to instantly know which of the computers, if any, is actively paired with the
keyboard and mouse.

C-5. The switch shall indicate which computer, if any, is paired with the
attached keyboard and mouse.

The  switch  needs  to  operate  transparently  and  allow  the  connected  external 
computer  systems  to  operate  normally.  At  startup,  most  computer  basic  input/output 
systems  (BIOS)  run  diagnostic  checks  to  determine  if  a  keyboard  is  attached  and  if  the 
keyboard  is  functioning  properly.  If  the  computer’s  BIOS  does  not  detect  a  keyboard 
attached  to  the  system  during  startup,  the  system  will  normally  halt  any  further 
operations.  The  switch  will  function  in  such  a  way  as  to  prevent  this  error  condition  from 
occurring  while  the  switch  is  in  either  state,  powered  on  or  powered  off. 

C-6. The computers connected to the switch shall be able to boot normally.

B. INITIAL DERIVED REQUIREMENTS AND DESIGN CHOICES

Derived  requirements  are  “requirements  that  are  implied  or  transformed  from 
higher-level  requirement”  [13].  Design  choices  reflect  the  outcome  of  the  analysis  of 
alternative  design  implementations.  The  development  process  typically  alternates 
between  refinement  of  requirements  (core  and  derived)  and  refinement  of  the  design 
(design  choices). 

D-1.  The  switch  shall  be  powered. 

As  the  switch  provides  an  indicator  that  dissipates  power,  the  first  and  second 
laws  of  thermodynamics  dictate  that  the  switch  consumes  power  from  either  an  internal 
or  external  source. 

DC-1.  Standard  wall  power  will  be  used  to  power  the  device. 

In  addition  to  providing  an  indicator,  the  switch  will  likely  incorporate  other 
power  consuming  electronics.  For  engineering  convenience  the  switch  will  utilize 
standard  wall  power,  such  as  can  be  found  in  a  typical  computing  environment,  to 
provide  power  while  the  device  is  powered  on.  This  is  in  lieu  of  alternative  power 
sources  such  as  battery  or  solar  power  that  have  limited  life  or  availability.  The  exact 
power  standard  will  be  determined  by  the  electrical  engineer  who  implements  the  design 
based  on  the  circuitry  used  and  the  country’s  or  countries’  electrical  standards  to  be 
supported.

DC-2. Conventional COTS IT and electronics shall be utilized.


To both save time and money, the device will consist primarily of commercial
off-the-shelf (COTS) information technology (IT) and electronics to the extent that the
security posture of the switch can be verified. Custom components may be needed to
combine the standard technology into a functioning device, but their use will be
minimized where possible.

D-2. Core requirements C-1, C-3, C-4, and C-5 are applicable only when
the switch is powered on.

As  conventional  active  electronics  will  be  used  in  the  switch,  communication 
through  the  switch  is  only  possible  when  it  is  powered  on.  Being  able  to  select  a 
computer  and  view  the  selection  is  only  useful  when  communication  is  possible.  Note 
that  core  requirements  C-2  and  C-6  are  applicable  whether  the  switch  is  powered  on  or 
off. 

D-3. The switch shall not allow communication between the keyboard and
mouse and any computer when the switch is powered off.

Derived  requirement  D-2  only  addresses  what  occurs  when  the  power  is  on.  The 
implied  behavior  of  no  information  flow  when  the  switch  is  off  is  likely  implemented  in 
the  default  behavior  of  the  switch. 

D-4. As viewed externally, the switch shall have a finite set of atomic state
transitions.

An  atomic  state  transition  is  defined  as  a  transition  that  does  not  require  any 
intermediary  steps  to  change  states. 

D-5. The switch shall visually present a finite set of internal states of the
switch.

The  set  of  internal  states  that  the  switch  can  visually  present  to  the  user  is  the 
status  of  the  attached  computer(s),  the  status  of  the  connected  keyboard  and  mouse,  and 
the status of the currently paired computer.

DC-3. The switch will support at least two computers.

The use of two computers is the least costly case.

DC-4.  The  switch  will  present  the  internal  states  identifying  which  computer 
is  paired  with  the  attached  keyboard  and  mouse  through  the  switch. 

With  the  switch  powered  on,  the  user  shall  be  provided  a  means  to  quickly 
determine  which  CPP,  if  any,  is  currently  selected.  By  providing  a  quick  reference  for 
the  user,  the  switch  can  better  manage  the  user’s  expectation  of  which  computer  is 
currently  able  to  interact  with  the  keyboard  and  mouse.  If  the  switch  is  not  powered  on, 
the  user  will  be  unable  to  use  the  attached  keyboard  and/or  mouse  to  interact  with  any 
attached  computer.  Therefore,  when  powered  off,  the  switch  does  not  need  to  provide  a 
means  for  the  user  to  determine  which  computer  is  currently  selected. 


Figure 11 depicts the finite set of atomic states for a two computer KVM that the
user will see before and after pressing a “user selection device.” The initial state assumes
the switch is powered on, and one or more computers are attached and powered on.


[State diagram; transition label: User Presses Selection Device X]

Figure 11. Basic Switch States as Seen from the User’s Perspective

Each state in Figure 11 is defined by the variables in Table 1:


| Variable Name | Values | Description |
|---|---|---|
| Selected Computer Indicator (X or Y) | 0 | The visual indicator defined by the Selected Computer Indicator (X or Y) is off. |
| Selected Computer Indicator (X or Y) | 1 | The visual indicator defined by the Selected Computer Indicator (X or Y) is on. |

Table 1. Basic Switch States’ Variables, Values, and Descriptions


DC-5. The main components of the switch will consist of an IPPG, a finite
number of CPPs, a switch module, and a user interface (see Figure
12).

•  IPPG. The IPPG provides connection ports on the switch that allow
a single keyboard to be plugged into the keyboard port and a single
mouse to be plugged into the mouse port.

•  CPP. Each CPP provides a connection port on the switch that
allows one computer to be plugged in at a time.

•  Core Switch Module (CSM). The CSM controls the process of
switching from one CPP to another and ensures the security
posture of the device is maintained. The CSM communicates with the
IPPG, the CPPs, and the user interface. The module contains a
processor and the memory needed to properly support the functions of
the switch.

•  User Interface. The user interface provides the means by which
the user selects the desired computer and determines which computer,
if any, is currently selected. The user interface contains user selection
devices and selected computer indicators.

Figure 12. Initial Design Diagram


D-6. The switch shall only pair with an active computer connected to a
CPP.

Only  active  connected  computers  can  provide  viable  communications.  A  non- 
connected  computer  or  computer  that  is  powered  off  will  be  unable  to  provide  the 
required  input(s)  into  the  switch. 

DC-6. The switch will indicate which computers are available.

The  switch  will  provide  an  indicator  for  each  computer  displaying  its  availability 
(i.e.,  connected  and  active).  This  indicates  to  the  user  which  computer  selection  choices 
will  be  allowed.  Thus  the  User  Interface  component  of  the  switch  design  should  include 
an  “Available  Computer  Indicator”  (see  Figure  13). 


Figure  13.  Initial  Design  with  Available  Computer  Indicators 


Figure 14 depicts the finite set of states of the switch before and after connecting
a computer to the switch. Each state contains both an internal state and an external state.
The internal state, Computer X Available, allows the switch to track which CPP has an
active computer connected, while the external state, Available Computer Indicator X,
allows the switch to visually represent to the user which CPP is connected to an active
computer. The initial state assumes the switch is powered on and one or more of the
computers is powered on.


Figure  14.  CPP-Basic  State  Machine 


Each  state  in  Figure  14  is  defined  by  the  variables  in  Table  2: 


| Variable Name | Values | Description |
|---|---|---|
| Computer X Available | 0 | Computer X is either not connected to CPP X or it is connected to CPP X but not powered on. |
| Computer X Available | 1 | Computer X is connected to CPP X and is powered on. |
| Available Computer Indicator X | 0 | Computer X is either not connected to CPP X or it is connected to CPP X but not powered on. |
| Available Computer Indicator X | 1 | Computer X is connected to CPP X and is powered on. |

Table 2. CPP’s Basic Variables, Values, and Descriptions

D-7. At no point in time shall two CPPs be allowed to communicate
through the core switching module.

As the switch transitions from state to state based on both internal and external
state changes, no data shall be allowed to pass between CPPs. Figure 11 represents the
basic states showing that at no time will the switch be able to enter a state in which both
CPPs are actively connected to the peripheral Keyboard and Mouse. This implies that
two CPPs will neither be allowed to communicate with each other nor simultaneously
communicate with the IPPG. The requirement ensures that the fundamental security
principle of the switch is properly supported.

D-8. The switch shall protect the integrity of the communications between
computer selection devices, the selected computer indicators, the
CPPs, and the CSM itself.

The  computer  pairing  selected  by  the  user,  the  computer  pairing  indicated  to  the 
user,  and  the  actual  computer  pairing  must  be  identical.  The  integrity  of  the  security 
enforcing  behavior  of  the  selection  operation  must  be  maintained. 

DC-7.  Protective  Design. 

The  switch  will  use  a  protective  enclosure  with  anti-tamper  features  to  prevent 
unauthorized  access  to  security  components  and  their  communication  paths.  The  internal 
design  will  implement  the  security  principles  of  domain  separation,  process  isolation, 
resource  encapsulation,  modularity,  simplicity,  least  privilege,  secure  initialization,  safe 
failure,  and  trusted  recovery. 

C.  DESIGN  CHOICES  -  EXTERNAL  INTERFACES 

The switch’s external interfaces are the points of the device where the user will
either plug in a device or provide input to the switch. As previously defined, the CPPs
and IPPG will consist of ports that will enable a keyboard and mouse attached to the
IPPG to communicate with a computer attached to one of the CPPs. The ports could be
defined by any number of standard interfaces in use today such as IEEE 1394 or
FireWire, PS/2, serial, or USB. Any of these defined protocols would allow a mouse and
keyboard to interact with a computer. However, the IEEE 1394 protocol is overkill, with
up to 400 Mbit/s, for the amount of data that would need to be transferred between the
keyboard and mouse and computer. Both PS/2 and serial interfaces have been replaced
in most modern computing devices by the USB interface. Thus the switch shall use USB
as the defined interface and protocol.

The  USB  standard  defines  a  protocol  that  will  allow  the  user  the  flexibility  to 
choose  from  the  large  number  of  standard  USB  keyboards  and  mice  available  on  the 
market  today.  The  use  of  the  USB  standard  will  also  help  to  keep  the  cost  of  designing 
and  building  the  switch  lower.  If  a  non-standard  protocol  or  interface  is  implemented  in 
the  switch,  the  designer  would  need  to  potentially  provide  a  custom  keyboard  and  mouse 
along  with  cables  to  connect  the  switch  to  the  computers.  If  the  keyboard,  mouse,  or  any 
of  the  cables  were  to  fail,  the  user  would  be  forced  to  contact  the  switch  supplier.  The 
user  would  possibly  experience  unacceptable  downtime  if  the  supplier  is  unable  to  repair 
or  replace  the  malfunctioning  equipment  in  a  timely  manner. 

DC-8. The external ports to the switch will be defined by the USB standard.

In  order  to  properly  support  the  USB  ports,  a  separate  USB  function  controller 
will  be  paired  with  each  port  group,  one  for  the  IPPG  and  one  for  each  CPP.  The 
controller  paired  with  each  CPP  will  be  responsible  for  correctly  communicating  with  the 
upstream  USB  host  controller  in  the  attached  computer.  Likewise,  the  controller 
connected  to  the  IPPG  will  be  responsible  for  correctly  communicating  with  the  currently 
selected  upstream  CPP. 

DC-9. Each CPP and the IPPG will be coupled with a USB Controller.

The  switch  will  also  need  to  provide  an  interface  by  which  the  user  can  select 
which  computer  is  allowed  to  communicate  with  the  keyboard  and  mouse.  A  collection 
of  physical  buttons  provides  the  user  the  means  to  choose  between  the  different 
computers  attached  to  the  switch.  The  buttons  will  also  provide  tactile  feedback  so  that 
the user knows the button press has been registered by the switch.

DC-10. The switch will utilize physical buttons for computer selection.

An  interface  is  defined  as  the  place  at  which  independent  and  often  unrelated 
systems  meet  and  act  on  or  communicate  with  each  other.®  An  interface  can  provide 
input(s),  output(s),  or  both  between  the  systems  that  connect  at  the  interface.  The 
buttons  on  the  front  of  the  switch  allow  the  user  to  provide  input  into  the  CSM.  In  return, 
each  button  shall  be  paired  with  a  green  LED  light  that  will  illuminate  when  the  switch 
detects  a  button  press.  The  light  shall  serve  as  a  visual  representation  of  the  user’s 
current  CPP  selection. 

DC-11. The switch will utilize a GREEN LED light to visually represent the
currently selected CPP.

The  user  can  use  the  light  as  a  visual  reminder  of  which  CPP  is  currently  selected; 
however,  the  user  may  not  know  which  CPP  is  currently  connected  to  an  active  computer. 
The  switch  shall  provide  a  second  visual  indicator,  an  amber  LED  light,  to  represent  an 
active  CPP,  which  is  defined  by  an  attached  computer  that  is  powered  on. 

DC-12. The switch will utilize an AMBER LED light to visually represent
an active CPP.

After pressing a button to select a CPP, the user can expect a slight delay while
the switch either transitions between CPPs or initially configures the path between the
IPPG and the selected CPP. To ensure a positive user experience, the GREEN LED shall
not fully illuminate until the path between the selected CPP and the IPPG is fully set up.

DC-13. The GREEN LED will blink while the path between a CPP and the
IPPG is being set up.

Table  3  summarizes  the  LED  light  colors  and  functionality. 


® See http://www.merriam-webster.com/dictionary/interface.

| LED Color | Functional Description |
|---|---|
| Amber | A computer is attached to the CPP and powered on. |
| Green | Data can flow from the IPPG to the CPP. |
| Green Flashing | The CPP is selected, but the device will not allow data to flow from the IPPG to the CPP yet. |

Table 3. LED Colors and Functional Descriptions


With  the  external  interfaces  clearly  defined,  an  accurate  drawing  (see  Figure  15) 
of  the  currently  defined  switch  components  is  below. 


Figure  15.  Switch  Including  Initial  Design  Choices 


D.  DESIGN  CHOICES  -  SECURITY  SUPPORTING  FUNCTIONS 

Security  supporting  functions  are  defined  as  functions  that  do  not  directly  enforce 
the  core  security  principles  but  assist  in  providing  assurance  that  the  switch  remains  in  a 
secure  state.  The  switch  will  need  to  provide  assurance  that  the  correct  CPP 
corresponding  to  the  button  pressed  by  the  user  is  communicating  with  the  peripheral 
devices  attached  to  the  IPPG.  To  provide  this  assurance,  the  buttons  will  need  to  directly 
communicate  with  and  only  with  the  CSM. 

DC-14. The buttons on the front panel will only communicate with the CSM.

As each green LED light is paired directly with a single button to visually
represent the user’s selection, the green LED lights should be controlled by the CSM as
well. The switch will utilize the green LED lights to provide the user assurance that the
path between the IPPG peripheral device(s) and the selected CPP is trustworthy and
functioning correctly.

DC-15. The green LED lights will be controlled by the same secure processor
as the buttons.

The  attached  computers  will  need  access  to  a  keyboard  to  prevent  boot  errors. 
However,  when  the  switch  is  powered  off  or  powered  on  but  the  CPP  is  not  currently 
selected,  the  computer  will  not  be  able  to  communicate  with  the  keyboard  attached  to  the 
IPPG.  Thus,  the  switch  shall  couple  each  CPP  with  an  emulation  module  (EM)  that  will 
be  responsible  for  mimicking  a  generic  keyboard.  This  will  allow  any  computer  to  boot 
or  reboot  at  any  time  while  attached  to  the  switch  without  fear  of  hanging  during  the  boot 
process  due  to  a  keyboard  detection  error. 

Emulation  involves  allowing  a  computer  attached  to  a  CPP  to  logically  think  that 
a  physical  keyboard  is  plugged  in  and  available  via  the  USB  cable  even  though  a  physical 
keyboard  is  not  connected. 

DC-16. Each CPP will be coupled with an EM designed to emulate USB
keyboard functionality to ensure any attached computer can
properly boot.

As  each  EM  will  need  to  operate  while  the  switch  is  powered  off,  each  EM  will 
need  to  draw  power  via  the  USB  cable  connected  to  the  attached  computer.  Once  the 
switch  is  powered  on,  the  emulator  shall  draw  its  power  from  the  switch  power  supply. 

DC-17. Each EM will be powered via USB from the attached computer while
the switch is powered off.

E.  DESIGN  CHOICES  -  SECURITY  ENFORCING  FUNCTIONS 

Security  enforcing  functions  are  defined  as  functions  that  directly  affect  or 
determine  the  security  posture  of  the  device.  The  components  of  the  switch  that  have  the 
responsibility  of  ensuring  the  switch  remains  in  a  secure  state  comprise  the  trusted 
computing  base  (TCB).  The  TCB  consists  of  the  hardware,  software,  and  firmware  that 
is responsible for enforcing the security policy [13].

The USB protocol defines the subclass field to report if an HID supports a boot
interface. The IPPG can read this field during the initial setup phase that occurs when the
switch is powered on and the IPPG detects a USB peripheral on the Keyboard and/or
Mouse port. Once the IPPG determines the value of the subclass field, the IPPG will
either allow further communications, if the subclass equals 1, or disallow further
communication to or from the non-bootable HID(s) connected to the front port(s) of the
switch.

DC-18. The IPPG will be coupled with a secure module to ensure that only
USB packets originating from a HID are transmitted through the
switch.

The  IPPG  can  further  use  the  USB  protocol’s  bInterfaceProtocol  field  to 
determine  if  the  bootable  HID  is  a  keyboard,  a  mouse,  or  some  other  HID.  The  HID 
should  set  the  field  to  “1”  for  a  keyboard,  “2”  for  a  mouse,  or  “0”  for  other  during  the 
initial  USB  Setup  process  with  the  IPPG.  Thus,  assuming  the  HID  is  trusted  to  set  this 
field  correctly,  the  IPPG  will  be  able  to  block  communications  from  a  non-HID,  a  mouse 
attached  to  the  keyboard  port,  and/or  a  keyboard  attached  to  the  mouse  port  as  required 
by  the  core  requirement  C-3.  In  addition,  the  IPPG  will  send  a  signal  to  the  CSM 
indicating  the  status  of  “Keyboard  Available.”  The  basic  states  for  the  IPPG  can  be  seen 
in Figure 16.

Figure 16. IPPG-Basic State Machine


Figure 17 then illustrates the error state that the switch will transition to when a
non-HID device is detected on the Keyboard Port, the Mouse Port, or both. The same
error state will also be utilized when a keyboard is connected to the mouse port and/or
a mouse is connected to the keyboard port. To ensure the user is aware that the IPPG has
triggered the error state, the IPPG will utilize an error indicator light on the front of the
switch. The error indicator light will be a red LED located near the keyboard and mouse
ports of the IPPG (see Figure 18).

Each state in Figure 16 and Figure 17 is defined by the variables in Table 4:


| Variable Name | Value | Description |
|---|---|---|
| Keyboard Available | 0 | A keyboard is not connected to the keyboard port of the IPPG. |
| Keyboard Available | 1 | A keyboard is connected to the keyboard port of the IPPG. |
| Mouse Available | 0 | A mouse is not connected to the mouse port of the IPPG. |
| Mouse Available | 1 | A mouse is connected to the mouse port of the IPPG. |
| IPPG Error | 0 | The IPPG is not in the ERROR state. [LIGHT OFF] |
| IPPG Error | 1 | The IPPG has detected either a Non-HID connected to either the mouse port, keyboard port or both, a keyboard is connected to the mouse port, or a mouse is connected to the keyboard port. [LIGHT ON] |

Table 4. IPPG’s Basic Variables, Values, and Descriptions

Figure 18 displays the final design of the switch after all components have been
defined with Table 5 describing the three different colored LEDs.


Figure  18.  Switch  Design-Final  Iteration 
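
The IPPG port check described for DC-18 and Table 4 can be sketched in C as follows. This is an added example, not code from the thesis: the function, type and sample names are hypothetical, the per-port rejected flag is an assumption, and the check goes one step beyond the text by requiring every interface in the device's configuration descriptor to be a boot HID of the right type, so a device that combines a keyboard interface with a storage interface is also rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values defined by the USB 2.0 and HID 1.11 specifications. */
#define USB_DT_INTERFACE   0x04 /* bDescriptorType of an interface descriptor */
#define USB_CLASS_HID      0x03 /* bInterfaceClass */
#define HID_SUBCLASS_BOOT  0x01 /* bInterfaceSubClass: boot interface */
#define HID_PROTO_KEYBOARD 0x01 /* bInterfaceProtocol */
#define HID_PROTO_MOUSE    0x02

enum port { PORT_KEYBOARD = 0, PORT_MOUSE = 1 };   /* hypothetical names */

/* Table 4 variables, plus a per-port flag (assumption) so the error clears
 * when an approved device replaces the rejected one. */
struct ippg_state {
    int keyboard_available;
    int mouse_available;
    int ippg_error;        /* 1 = red LED on */
    int rejected[2];
};

/* Walk a configuration descriptor set. Accept only if it is well formed,
 * contains at least one interface, and every interface is a boot HID whose
 * protocol matches the port. Returns 1 to accept, 0 to reject. */
int port_accepts(enum port p, const uint8_t *cfg, size_t len)
{
    uint8_t want = (p == PORT_KEYBOARD) ? HID_PROTO_KEYBOARD : HID_PROTO_MOUSE;
    size_t off = 0;
    int interfaces = 0;

    if (cfg == NULL)
        return 0;
    while (off < len) {
        size_t left = len - off;
        uint8_t blen = (left >= 2) ? cfg[off] : 0; /* needs bLength + type */

        if (blen < 2 || blen > left)
            return 0;      /* truncated, zero-length or overrunning entry */
        if (cfg[off + 1] == USB_DT_INTERFACE) {
            if (blen < 9 || cfg[off + 5] != USB_CLASS_HID ||
                cfg[off + 6] != HID_SUBCLASS_BOOT || cfg[off + 7] != want)
                return 0;  /* short, non-HID, non-boot or wrong port */
            interfaces++;
        }
        off += blen;
    }
    return interfaces > 0;
}

/* Device detected on port p: update the Table 4 variables. */
void ippg_attach(struct ippg_state *s, enum port p,
                 const uint8_t *cfg, size_t len)
{
    int ok = port_accepts(p, cfg, len);

    if (p == PORT_KEYBOARD)
        s->keyboard_available = ok;
    else
        s->mouse_available = ok;
    s->rejected[p] = !ok;
    s->ippg_error = s->rejected[PORT_KEYBOARD] || s->rejected[PORT_MOUSE];
}

/* Constructed sample descriptors, not captured from real devices. */
static const uint8_t SAMPLE_KEYBOARD[] = {
    0x09, 0x02, 0x22, 0x00, 0x01, 0x01, 0x00, 0xA0, 0x32, /* configuration */
    0x09, 0x04, 0x00, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00, /* boot keyboard */
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00, /* HID descriptor */
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0A              /* interrupt IN */
};
static const uint8_t SAMPLE_STORAGE[] = {
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32, /* configuration */
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00, /* mass storage */
    0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00,             /* bulk IN */
    0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00              /* bulk OUT */
};
static const uint8_t SAMPLE_COMPOSITE[] = {  /* endpoints omitted for brevity */
    0x09, 0x02, 0x1B, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32, /* configuration */
    0x09, 0x04, 0x00, 0x00, 0x00, 0x03, 0x01, 0x01, 0x00, /* boot keyboard */
    0x09, 0x04, 0x01, 0x00, 0x00, 0x08, 0x06, 0x50, 0x00  /* mass storage */
};

int main(void)
{
    struct ippg_state s = {0, 0, 0, {0, 0}};
    ippg_attach(&s, PORT_KEYBOARD, SAMPLE_STORAGE, sizeof SAMPLE_STORAGE);
    printf("storage on keyboard port:   error=%d\n", s.ippg_error);
    ippg_attach(&s, PORT_KEYBOARD, SAMPLE_COMPOSITE, sizeof SAMPLE_COMPOSITE);
    printf("composite on keyboard port: error=%d\n", s.ippg_error);
    ippg_attach(&s, PORT_KEYBOARD, SAMPLE_KEYBOARD, sizeof SAMPLE_KEYBOARD);
    printf("keyboard on keyboard port:  available=%d error=%d\n",
           s.keyboard_available, s.ippg_error);
    return 0;
}
```

The check relies on the device reporting its class, subclass and protocol honestly, which is the same trust assumption the text states for the bInterfaceProtocol field.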


Similar  to  the  IPPG,  the  CPP  is  responsible  for  protecting  the  switch  from  USB 
packets  sent  from  any  of  the  attached  computers  that  are  not  intended  for  a  HID.  The 
CPP  will  monitor  the  USB  traffic  coming  from  the  attached  computer  and  only  allow 
USB  Setup  packets  (Figure  5)  or  USB  IN  packets  (Figure  3). 

DC-19. The CPP will be coupled with a secure module to ensure only USB
packets designated for an HID are transmitted through the switch.

To continue to ensure a positive user experience, the switch will need to provide
visual indication for when a CPP has entered into the error state due to detected problems
with any incoming USB packets. As each CPP is already in control of an Available
Computer Indicator, the Available Computer Indicator will flash on and off while in the
error state. The error state can only be cleared by either disconnecting the computer
causing the error condition or resetting the switch through a power cycle.


| LED Color | Functional Description |
|---|---|
| Amber - On | A computer is attached to the CPP and powered on. |
| Amber - Off | A computer is not attached to the CPP or not powered on. |
| Amber - Flashing | The CPP has detected a USB packet destined for a non-HID and has entered the error state, disallowing further data from the computer attached to the CPP from flowing to the CSM. |
| Green - On | The CPP is selected and the path between the selected CPP and the IPPG is logically connected. |
| Green - Off | The CPP is not selected and no logical path exists between the CPP and the IPPG. |
| Green - Flashing | The CPP is selected, but the switch is still establishing the connection between the selected CPP and the IPPG. |
| Red - On | The IPPG is in the Error State. |

Table 5. LED Colors and Functional Descriptions-Final


DC-20. The Computer Available Indicator will flash to denote an error
condition detected by the CPP.

Figure 19 adds both an error condition to each CPP as well as a signal to the CSM
if a computer is or is not connected to the CPP. When the error condition is detected, a
new status for the Available Computer Indicator is also added, see Table 6.

Figure 19. CPP State Machine Including Error Handling State


Table  6  defines  the  new  values  available  to  CPP  X’s  variables  with  the  addition  of 
the  error  state: 


Variable Name | Value | Description
Available Computer Indicator X | 2 | CPP X has detected an error caused by the connected Computer X.
CPP X Error | 0 | CPP X is not in the ERROR state.
CPP X Error | 1 | CPP X has detected a USB Packet originating from Computer X to be a non USB Setup or USB IN packet.

Table 6. CPP with Error State Variables, Values, and Descriptions


With  the  external  interfaces  properly  secured,  the  switch  will  need  to  ensure  the 
CSM  only  connects  the  currently  selected  computer  with  the  attached  keyboard  and 
mouse.  The  CSM  will  be  responsible  for: 

•  Ensuring  only  the  currently  selected  computer  is  allowed  to  communicate 
with  the  attached  keyboard  and  mouse. 

•  Providing  a  secure  transition  state  to  ensure  data  is  not  inadvertently  sent 
to  the  previously  selected  CPP. 

To ensure the CSM is able to correctly initiate, maintain, and transition
connections  between  any  of  the  connected  computers,  the  CSM  will  need  to  be  aware  of 
each  CPP’s  state.  Specifically,  the  CSM  will  need  to  know  the  status  of  “Computer  X 
Available”  from  each  CPP.  If  “Computer  X  Available”  is  set  to  0,  then  the  CSM  shall 
ignore  any  user  pressing  Button  X.  However,  if  “Computer  X  Available”  is  set  to  1,  then 
the  CSM  will  begin  the  process  of  allowing  the  attached  Keyboard  and/or  Mouse  to 
connect  to  the  computer  requested  by  the  user. 

DC-21. The CSM will consist of a secure module responsible for ensuring the
correct CPP is allowed to communicate with the IPPG.

DC-22. The CSM will ignore any user pressing Button X if “Computer X
Available” is set to 0.

Figure 20 visually represents the current state machine of the CSM.


Figure  20.  CSM  Basic  State  Machine 




Table  7  provides  the  CSM  variables,  values,  and  descriptions  not  previously 
defined: 


Variable Name | Value | Description
Selected Computer Indicator X | 0 | The light is off. Computer X is not selected.
Selected Computer Indicator X | 1 | The light is blinking. Computer X is selected, but the data path between CPP X and the Keyboard and Mouse has not been established.
Selected Computer Indicator X | 2 | The light is on. Computer X can fully communicate with the attached Keyboard and Mouse.
Computer Selected | 0 | The user has not pressed the “User Selection Device X.”
Computer Selected | X | The user has pressed the “User Selection Device X.”
Keyboard Available | 0 | The IPPG has not yet reported a keyboard connected to the keyboard USB port or has reported the keyboard disconnected from keyboard USB port.
Keyboard Available | 1 | The IPPG has reported a keyboard connected to the keyboard USB port.

Table  7.  CSM’s  Variables,  Values,  and  Descriptions 


The CSM will need to provide a secure transition state or set of states (Figure 21),
which allows the IPPG and the attached keyboard and/or mouse to properly switch from
interacting with one CPP to interacting with a different CPP without allowing data intended
for the previously selected CPP to reach the newly selected CPP.

DC-23. The CSM will provide a secure transition state or set of states
allowing the IPPG to disconnect from the previously selected CPP
and connect to the newly selected CPP.

The  CSM  will  enter  the  transition  state  or  states  when  the  user  presses  one  of  the 
buttons on the front of the switch. The CSM will immediately cause the “Selected
Computer  Indicator”  to  begin  blinking,  providing  a  visual  indicator  to  the  user  that  the 
switch  is  in  the  process  of  connecting  the  desired  CPP  to  the  IPPG.  If  a  different  CPP 
was  previously  selected,  the  CSM  will  also  immediately  stop  all  communications 
between  the  previously  selected  CPP  and  the  IPPG.  In  addition,  the  CSM  will  send  the 
IPPG  a  “Flush”  command  informing  the  IPPG  that  it  needs  to  clear  the  buffers  contained 
in  the  attached  USB  Keyboard  and  Mouse.  The  CSM  will  then  wait  for  the  IPPG  to 
respond  that  the  command  completed  successfully  or  the  timeout  period  has  been 
exceeded.  If  the  command  times  out,  the  CSM  will  turn  off  the  “Selected  Computer 
Indicator  X,”  signaling  that  the  user  will  need  to  reselect  the  CPP  or  select  a  different 
CPP.  If,  however,  the  command  succeeds,  the  CSM  will  allow  the  regular  USB  SETUP 
process  to  occur  between  the  selected  CPP  and  the  keyboard/mouse,  “q6”  in  Figure  21. 
Once  the  Setup  process  has  completed,  the  CSM  will  continuously  illuminate  the 
“Selected  Computer  Indicator  X”  until  the  switch  is  powered  off,  the  computer  connected 
to  CPP  X  is  disconnected,  or  the  user  selects  a  different  CPP  with  which  to  interact. 

DC-24. The CSM will send a “Flush” command to the IPPG as part of the
secure transition state or set of states.

DC-25. The CSM will wait for the IPPG to confirm completion of the
“Flush” command before allowing the newly selected CPP to be
connected to the IPPG or time out reverting back to the “none
selected” state.

Figure 21 depicts the state machine of the CSM to include the transition states.

Figure 21. CSM State Machine Including Transition States

Table 8 provides the updated CSM variables, values, and descriptions not
previously defined:


Variable Name | Value | Description
Flush | 0 | The “Flush” command has not been issued, has completed, or has timed out.
Flush | 1 | The “Flush” command is currently running.

Table 8. CSM’s Updated Variables, Values, and Descriptions


As  part  of  the  transition  states,  the  IPPG,  Figure  22,  is  responsible  for  ensuring 
the buffers of the attached keyboard and mouse are cleared before a new connection can
be  established  with  a  CPP  and  reporting  back  to  the  CSM  once  the  process  is  complete. 
The  IPPG  will  use  the  same  “Flush”  command  whenever  a  keyboard  or  mouse  is 
plugged-in  and  detected  by  the  IPPG  to  ensure  a  clean  start  state  for  the  device’s  buffers 
before  alerting  the  CSM  that  a  keyboard  is  available.  The  IPPG  will  use  the  same 
“Keyboard  Available”  signal  to  alert  the  CSM  when  the  “Flush”  command  has 
completed. 

DC-26. The IPPG will ensure the buffers of the attached keyboard and
mouse are properly flushed insuring residual data is removed.

DC-27. The IPPG will report back to the CSM once the “Flush” command
has completed successfully.

Figure 22 depicts the state machine of the IPPG with the Flush states.

Figure 22. IPPG State Machine Including Flush Command States

Table 9 provides the updated IPPG’s variables, values, and descriptions not
previously defined:


Variable Name | Value | Description
Flush Keyboard | 0 | The “Flush” command has not been issued or has completed.
Flush Keyboard | 1 | The “Flush” command is currently running.
Flush Mouse | 0 | The “Flush” command has not been issued or has completed.
Flush Mouse | 1 | The “Flush” command is currently running.

Table 9. IPPG’s Updated Variables, Values, and Descriptions

The following diagrams (Figure 23 and Figure 24) represent the state diagram of the CSM of a 2-port keyboard/mouse
switch. A 2-port switch would allow at most 2 computers to share a single keyboard and mouse. These diagrams were split
and references were used to aid insertion into this document as well as prevent transition lines from overlapping.

Figure 23. (A) CSM State Machine-2 CPPs

Figure 24. (B) CSM State Machine-2 CPPs

VII. ANALYSIS, CONCLUSION, AND FUTURE RESEARCH


A.  ANALYSIS 

In  this  paper,  our  goal  was  to  define  the  requirements  of  a  highly  robust  peripheral 
sharing  switch  for  HIDs  and  to  show,  at  a  high  level,  a  secure  design.  Each  requirement 
was  examined  for  security  implications  and  derived  requirements  or  design  choices  were 
made  to  adequately  cover  potential  security  flaws. 

The  requirements  and  the  data  flow  diagrams  included  in  Appendix  B  were 
instrumental  in  defining  the  state  diagrams  for  the  main  components  (IPPG,  CPP,  and 
CSM)  of  the  switch.  The  three  state  diagrams  Figure  19,  Figure  22,  and  Figure  23/Figure 
24  combine  to  create  the  complete  state  diagram  for  the  highly  robust  peripheral  sharing 
switch.  Each  component  evolved  as  derived  requirements  and  design  choices  combined 
to  describe  the  data  flows  between  the  IPPG  and  the  CSM,  the  CSM  and  each  CPP,  and 
the  IPPG  and  each  CPP.  Once  internal  and  external  data  flows  for  each  component  were 
clearly  defined,  the  state  diagrams  were  developed  to  clearly  show  the  state  of  each 
component  at  any  given  time. 

The  state  diagram  for  the  CSM  (Figure  23  and  Figure  24),  with  the  help  of  the 
state transition table (Table 10), clearly shows that at no time can the switch enter into a
state  where  more  than  one  CPP  is  communicating  with  the  IPPG  at  the  same  time  and  a 
flush  command  is  always  issued  before  a  connection  is  allowed  between  a  CPP  and  the 
IPPG. 

The  first  two  requirements  are  shown  to  be  true  in  the  CSM  state  machine 
depicted  in  Figure  23  and  Figure  24.  That  is,  no  state  is  capable  of  allowing  the 
“Computer Selected” to be both X and Y, and the states q12, q13, q22, and q23 are only
accessible if the CSM first transitions through q6, q7, q16, or q17. The third requirement
will  be  shown  to  hold  true  with  the  combination  of  the  CSM  state  machine  and  the 
implementation  of  the  CSM. 

Table 10 is the state transition table for the CSM when two computers (X and Y) are connected to the switch. The first
column contains the states and the first row contains the events associated with CSM. The intersection of each row and
column lists the next state, if the event is valid for the current state, and any associated actions that will occur upon
transitioning to the next state. Table 11 contains the legend that maps the actions in Table 10 to their descriptions.


State / Event | User Presses Selection Device X | User Presses Selection Device Y | IPPG Reports Keyboard is Available | IPPG Reports Keyboard is Not Available | CPP X Reports Computer X is Available | CPP X Reports Computer X is Not Available | CPP Y Reports Computer Y is Available | CPP Y Reports Computer Y is Not Available | Flush Command Sent to IPPG | Flush Command Times Out | Flush Command Successful | USB Setup Process Completed
q0 | q0 | q0 | q1 | q0 | q2 | q0 | q2 | q0 | - | - | - | -
q1 | q1 | q1 | - | q0 | q14 | q1 | q15 | q1 | - | - | - | -
q2 | q2 | q2 | q14 | q2 | - | q0 | q4 | q2 | - | - | - | -
q3 | q3 | q3 | q15 | q3 | q4 | q3 | - | q0 | - | - | - | -
q4 | q4 | q4 | q5 | q4 | - | q3 | - | q2 | - | - | - | -
q5 | q6/A | q7/B | - | q4 | - | q15 | - | q14 | - | - | - | -
q6 | q6 | q6 | - | q4/C | - | q15/C | - | q16 | q8/E | - | - | -
q7 | q7 | q7 | - | q4/D | - | q17 | - | q14/D | q9/E | - | - | -
q8 | q8 | q8 | - | q4/C | - | q15/C | - | q18 | - | q5/C | q10/F | -
q9 | q9 | q9 | - | q4/D | - | q19 | - | q14/D | - | q5/D | q11/F | -
q10 | q10 | q10 | - | q4/C | - | q15/C | - | q20 | - | - | - | q12/G
q11 | q11 | q11 | - | q4/D | - | q21 | - | q14/D | - | - | - | q13/H
q12 | q12 | q7/C,B | - | q4/I | - | q15/C | - | q22 | - | - | - | -
q13 | q6/D,A | q13 | - | q4/J | - | q23 | - | q14/D | - | - | - | -
q14 | q16/A | q14 | - | q2 | - | q1 | q4 | - | - | - | - | -
q15 | q15 | q17/B | - | q3 | q4 | - | - | q1 | - | - | - | -
q16 | q16 | q16 | - | q2/C | - | q1/C | q6 | - | q18/E | - | - | -
q17 | q17 | q17 | - | q3/D | q7 | - | - | q1/D | q19/E | - | - | -
q18 | q18 | q18 | - | q2/C | - | q1/C | q8 | - | - | q14/C | q20/F | -
q19 | q19 | q19 | - | q3/D | q9 | - | - | q1/D | - | q15/D | q21/F | -
q20 | q20 | q20 | - | q2/C | - | q1/C | q10 | - | - | - | - | q22/G
q21 | q21 | q21 | - | q3/D | q11 | - | - | q1/D | - | - | - | q23/H
q22 | q22 | q22 | - | q2/C | - | q1/C | q12 | - | - | - | - | -
q23 | q23 | q23 | - | q3/D | q13 | - | - | q1/D | - | - | - | -

Table  10.  CSM  State  Transition  Table 

A | User Selection Indicator X begins Flashing.
B | User Selection Indicator Y begins Flashing.
C | User Selection Indicator X is Off.
D | User Selection Indicator Y is Off.
E | Flush Command timer started.
F | The USB Setup Process is allowed to commence.
G | User Selection Indicator X is On.
H | User Selection Indicator Y is On.

Table 11. CSM State Transition Table Actions


On | The User has pressed the User Selection Device for the CPP and the path between the selected CPP and the IPPG is logically connected.
Off | The User has not pressed the User Selection Device for the CPP or has selected a different CPP. Therefore, no logical path exists between the CPP and the IPPG.
Flashing | The User has pressed the User Selection Device designating the CPP is selected, but the switch is still establishing the connection between the selected CPP and the IPPG.

Table 12. User Selection Indicator Functional Descriptions-Final
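
The reachability claims made in the Analysis can be checked mechanically against Table 10. The Python program below is an added example, not part of the original thesis: it transcribes the table's next-state cells and tests that no connected state (q12, q13, q22, q23) is reachable without passing a selection state and a successful flush. The event names and the "bypass" negative control are this example's own constructions.

```python
from collections import deque

# Column order of Table 10; the short names are this example's own labels.
EVENTS = ["press_x", "press_y", "kbd_avail", "kbd_not_avail",
          "x_avail", "x_not_avail", "y_avail", "y_not_avail",
          "flush_sent", "flush_timeout", "flush_ok", "setup_done"]

# Table 10 transcribed as printed: "state | next state per event", "-" where
# the event is not valid. Action letters (/A ... /J) are dropped because only
# the next state matters here. Row 10 is written with self-loops on both button
# presses, as in rows 11 and 20 (assumption; self-loops cannot change a result).
ROWS = """
 0 |  0  0  1  0  2  0  2  0  -  -  -  -
 1 |  1  1  -  0 14  1 15  1  -  -  -  -
 2 |  2  2 14  2  -  0  4  2  -  -  -  -
 3 |  3  3 15  3  4  3  -  0  -  -  -  -
 4 |  4  4  5  4  -  3  -  2  -  -  -  -
 5 |  6  7  -  4  - 15  - 14  -  -  -  -
 6 |  6  6  -  4  - 15  - 16  8  -  -  -
 7 |  7  7  -  4  - 17  - 14  9  -  -  -
 8 |  8  8  -  4  - 15  - 18  -  5 10  -
 9 |  9  9  -  4  - 19  - 14  -  5 11  -
10 | 10 10  -  4  - 15  - 20  -  -  - 12
11 | 11 11  -  4  - 21  - 14  -  -  - 13
12 | 12  7  -  4  - 15  - 22  -  -  -  -
13 |  6 13  -  4  - 23  - 14  -  -  -  -
14 | 16 14  -  2  -  1  4  -  -  -  -  -
15 | 15 17  -  3  4  -  -  1  -  -  -  -
16 | 16 16  -  2  -  1  6  - 18  -  -  -
17 | 17 17  -  3  7  -  -  1 19  -  -  -
18 | 18 18  -  2  -  1  8  -  - 14 20  -
19 | 19 19  -  3  9  -  -  1  - 15 21  -
20 | 20 20  -  2  -  1 10  -  -  -  - 22
21 | 21 21  -  3 11  -  -  1  -  -  - 23
22 | 22 22  -  2  -  1 12  -  -  -  -  -
23 | 23 23  -  3 13  -  -  1  -  -  -  -
"""

SELECTING = {6, 7, 16, 17}                 # states named in the Analysis
CONNECTED_X, CONNECTED_Y = {12, 22}, {13, 23}
CONNECTED = CONNECTED_X | CONNECTED_Y

def load(rows=ROWS):
    """Parse ROWS into {(state, event): next_state}, skipping '-' cells."""
    delta = {}
    for line in rows.strip().splitlines():
        state, cells = line.split("|")
        cells = cells.split()
        if len(cells) != len(EVENTS):
            raise ValueError(f"row {state.strip()}: expected {len(EVENTS)} cells")
        for event, cell in zip(EVENTS, cells):
            if cell != "-":
                delta[(int(state), event)] = int(cell)
    return delta

def reachable(delta, starts, banned_states=(), banned_events=()):
    """Breadth-first search that never enters a banned state or uses a banned event."""
    seen, todo = set(starts), deque(starts)
    while todo:
        here = todo.popleft()
        for (src, event), dst in delta.items():
            if (src == here and event not in banned_events
                    and dst not in banned_states and dst not in seen):
                seen.add(dst)
                todo.append(dst)
    return seen

def check(delta):
    """Evaluate the Analysis claims; every value should be True."""
    no_flush = {"flush_ok"}
    return {
        "all_states_reachable": reachable(delta, {0}) == set(range(24)),
        "connect_needs_selecting_state":
            reachable(delta, {0}, banned_states=SELECTING).isdisjoint(CONNECTED),
        "connect_needs_flush_ok":
            reachable(delta, {0}, banned_events=no_flush).isdisjoint(CONNECTED),
        "x_to_y_needs_flush":
            reachable(delta, CONNECTED_X, banned_events=no_flush).isdisjoint(CONNECTED_Y),
        "y_to_x_needs_flush":
            reachable(delta, CONNECTED_Y, banned_events=no_flush).isdisjoint(CONNECTED_X),
    }

def with_bypass(delta):
    """Negative control (constructed): hand the keyboard from X straight to Y."""
    faulty = dict(delta)
    faulty[(12, "press_y")] = 13
    return faulty

if __name__ == "__main__":
    table = load()
    for name, variant in (("Table 10", table), ("with bypass", with_bypass(table))):
        for claim, holds in check(variant).items():
            print(f"{name:12} {claim:30} {'holds' if holds else 'VIOLATED'}")
```

The constructed bypass still passes the two checks that start from q0, because q12 itself can only be reached after a flush; only the per-switch check from an already connected state exposes it.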

B. CONCLUSION

The  design  process  of  a  secure  keyboard/mouse  Switch  led  to  the  establishment  of 
the  following  fundamental  requirements: 

1. Only a single computer connected to the switch is allowed to
communicate  with  the  attached  keyboard  and  mouse  at  any  given  point  in 
time. 

2.  A  “Flush”  command  must  precede  any  connection  between  an  attached 
computer  and  the  keyboard  and  mouse. 

3.  No  two  CPPs  are  allowed  to  communicate  with  each  other. 

An inference can also be made that by properly implementing the requirements
defined  above  the  implementer  will  ensure  that  no  data  from  any  CPP  will  be  allowed  to 
pass  through  to  any  other  CPP. 

The idea of a secure keyboard/mouse switch, at first blush, appears to be a simple
and straightforward system. However, the complex set of states shown in Figure 23
and Figure 24 that needed to be developed and understood to achieve the security goals
shows that the system is neither simple nor straightforward.

In  the  course  of  developing  these  requirements,  certain  assumptions  had  to  be 
made  to  insure  the  security  of  the  system.  These  assumptions  were: 

1. The attached keyboard will comply with the “Flush” command.

2.  The  switch  will  be  able  to  identify  the  peripheral  USB  devices  attached  to 
the  switch  as  a  keyboard  and  mouse. 

3.  The  switch  will  be  able  to  identify  all  communications  between  the 
peripheral  devices  and  the  computers  as  legitimate  USB  traffic  intended 
for  or  from  a  HID. 

C.  FUTURE  RESEARCH 

The  process  of  designing  and  building  a  secure  keyboard  and  mouse  switch 
begins  with  the  definition  of  requirements  and  mapping  those  requirements  to 
rudimentary  state  machines.  The  independent  review  provided  here  establishes  some  of 
the  assurances,  but  the  next  step  is  mapping  the  assurances  to  an  implementation  of  the 
design.  The  state  machines  should  also  go  through  a  more  formal  analysis  to  ensure  the 
appropriate  level  of  assurance  required  by  the  user.  This  analysis  can  be  performed  by 
tools such as Harel Statecharts⁷ or Alloy⁸ for semiformal analysis or, for a formal
analysis, ACL2.⁹ The hardware used in the implementation of the design should also be
tested  for  high  robustness. 

7 Harel, David. “Statecharts: A visual formalism for complex systems.” Science of Computer
Programming 8 (1987): 231-274. PDF.

8 Jackson, Daniel. “Alloy: a lightweight object modeling notation.” ACM Transaction on Software
Engineering and Methodology 11.2 (2002). PDF.

9 Kaufmann, Matt, and Moore, J. Strother. “Industrial Proofs with ACL2.” PDF File.




To be a true KVM switch, the switch should also be able to accurately display any
of  the  connected  computers  on  a  single  video  display  device.  The  uniqueness  of  the 
video  signal  may  introduce  further  requirements  that  will  need  to  be  added  to  the  already 
defined  requirements  in  this  paper. 

Along  with  the  video  signal,  there  are  other  technologies  currently  in  use  by 
commercially  available  KVM  switches  that  may  be  of  interest  to  further  the  advancement 
of  a  secure  KVM.  These  technologies  include  KVM  over  IP  and  Multiuser  KVM 
switches.  KVM  over  IP  switches  essentially  increase  the  distance  that  a  user  can  be  from 
the  physical  computer.  These  switches  involve  two  separate  hardware  devices  that 
connect  via  a  standard  network  cable  (i.e.,  CAT5).  The  main  switch  device  plugs  directly 
into  the  computers  via  USB  cables  and  video  cables,  and  when  compared  to  the  design 
described  in  this  paper  would  include  the  CPPs  and  the  CSM.  The  secondary  device 
would  connect  to  the  keyboard,  mouse,  and  video  display  device  and  provide  a  means  for 
the user to select from which computer to send and receive data. The secondary device
would  also  provide  a  means  to  display  which  computer  is  selected,  and  may  or  may  not 
include  indicators  to  show  which  computers  are  selectable.  In  reference  to  our  design, 
the  secondary  device  would  include  the  IPPG,  buttons,  and  any  indicator  lights. 
Multiuser  KVM  switches  are  generally  KVM  over  IP  switches  that  have  the  added 
functionality  to  allow  more  than  one  console  or  user  access  to  the  attached  computers 
through  the  switch. 

APPENDIX A: COMBINED REQUIREMENTS


C-1. The switch shall enable communication between a keyboard and a
mouse and at most one computer connected to the switch at a given
point in time.

C-2. The switch shall not allow communications with peripheral devices
connected to the IPPG other than a keyboard on the keyboard port
and a mouse on the mouse port.

C-3. The switch shall allow the user to select the computer to be paired
with the attached keyboard and mouse.

C-4. The switch shall indicate which computer, if any, is paired with the
attached keyboard and mouse.

C-5. The computers connected to the switch shall be able to boot normally.

D-1. The switch shall be powered.

DC-1. Standard wall power will be used to power the device.

DC-2. Conventional COTS IT and electronics shall be utilized.

D-2. Core requirements C-1, C-3, C-4, and C-5 are applicable only when
the switch is powered on.

D-3. The switch shall not allow communication between the keyboard and
a mouse and any computer when the switch is powered off.

D-4. As viewed externally, the switch shall have a finite set of atomic state
transitions.

D-5. The switch shall visually present a finite set of internal states of the
switch.

DC-3. The switch will support at least two computers.

DC-4. The switch will present the internal states identifying which computer
is paired through the switch.

DC-5. The main components of the switch will consist of an IPPG, a finite
number of CPPs, a switch module, and a user interface (see Figure
12).

D-6. The switch shall only pair with an active computer connected to a
CPP.

DC-6. The switch will indicate which computers are available.

D-7. At no point in time shall two CPPs be allowed to communicate
through the core switching module.

D-8. The switch shall protect the integrity of the communications between
computer selection devices, the selected computer indicators, the
CPPs, and the CSM itself.

DC-7. Protective Design.

DC-8. The external ports to the switch will be defined by the USB standard.

DC-9. Each CPP and the IPPG will be coupled with a USB Controller.

DC-10. The switch will utilize physical buttons for computer selection.

DC-11. The switch will utilize a GREEN LED light to visually represent the
currently selected CPP.

DC-12. The switch will utilize an AMBER LED light to visually represent
an active CPP.

DC-13. The GREEN LED will blink while the path between a CPP and the
IPPG is setup.

DC-14. The buttons on the front panel will only communicate with the CSM.

DC-15. The green LED lights will be controlled by the same secure
processor as the buttons.

DC-16. Each CPP will be coupled with an EM designed to emulate USB
keyboard functionality to ensure any attached computer can
properly boot.

DC-17. Each EM will be powered via USB from the attached computer while
the switch is powered off.

DC-18. The IPPG will be coupled with a secure module to ensure only USB
packets originating from a HID are transmitted through the switch.

DC-19. The CPP will be coupled with a secure module to ensure only USB
packets designated for a HID are transmitted through the switch.

DC-20. The Computer Available Indicator X will flash to denote an error
condition detected by the CPP X.

DC-21. The CSM will consist of a secure module responsible for ensuring the
correct CPP is allowed to communicate with the IPPG.

DC-22. The CSM will ignore any user pressing Button X if “Computer X
Available” is set to 0.

DC-23. The CSM will provide a secure transition state or set of states
allowing the IPPG to disconnect from the previously selected CPP
and connect to the newly selected CPP.

DC-24. The CSM will send a “Flush” command to the IPPG as part of the
secure transition state or set of states.

DC-25. The CSM will wait for the IPPG to affirm completion of the “Flush”
command before allowing the newly selected CPP to be connected to
the IPPG or time out reverting back to the “none selected” state.

DC-26. The IPPG will ensure the buffers of the attached keyboard and
mouse are properly flushed to insure residual data is removed.

DC-27. The IPPG will report back to the CSM once the “Flush” command
has completed successfully.




APPENDIX  B:  DATA  FLOW  DIAGRAMS 


Figure  25  depicts  the  potential  data  flows  while  the  switch  is  powered  on  with  a 
keyboard  connected  to  the  keyboard  port,  a  mouse  connected  to  the  mouse  port,  and 
computer  X  is  powered  on  and  connected  to  CPP  X. 



Figure  25.  Potential  Data  Flows  with  Switch  Powered  On 

Figure 26 shows the data flows available through the switch while the switch is
powered  off.  Computer  X  will  provide  power  over  USB  to  the  Emulator  Module,  which 
in  turn  will  emulate  a  generic  keyboard  allowing  Computer  X  to  boot  properly. 




Figure  26.  Potential  Data  Flows  with  Switch  Powered  Off 

Figure 27 shows the data flows available through the switch when the IPPG enters
the  error  state.  The  IPPG  will  deny  any  further  USB  packets  from  flowing  from  the 
attached  peripheral  devices  into  the  CSM,  thus  preventing  the  USB  packets  from 
potentially  reaching  the  currently  selected  computer.  While  in  the  error  state  the  IPPG 
will  turn  on  the  Red  LED. 




Figure  27.  Potential  Data  Flows-IPPG  Module  Error 

Figure 28 shows the data flows available through the switch when a CPP enters
the  error  state.  The  CPP  will  report  that  the  computer  is  no  longer  available  to  the  CSM 
and  deny  any  further  USB  packets  from  flowing  from  the  attached  computer  into  the 
CSM,  thus  preventing  the  USB  packets  from  potentially  reaching  the  connected 
peripheral  devices.  While  in  the  error  state  the  CPP  will  cause  the  Amber  LED  to  blink. 



Figure  28.  Potential  Data  Flow-CPP  X  Module  Error 




Figure  29  represents  the  potential  data  flows  available  while  the  switch  is 
powered  on,  there  is  potentially  an  attached  keyboard  and  mouse,  and  one  or  more 
computers  are  attached  and  powered  on  but  none  are  selected. 


Figure  29.  Potential  Data  Flows-No  CPP  Selected 

Figure 30 represents the potential data flows available while the switch is
powered  on,  there  is  an  attached  keyboard  and  mouse,  and  a  computer  is  attached, 
powered  on,  and  selected. 


Figure  30.  Potential  Data  Flows-Button  X  Selected 